NSA ANT Mobile Phones, 30C3, Jacob Appelbaum, 30 December 2013

The NSA's ANT division develops implants for mobile phones and also for SIM cards. The spy
software for the first iPhone, named DROPOUTJEEP, for example, was still in development in 2008,
shortly after the market launch. It was meant to allow remotely downloading files from the phone
and uploading others to it, diverting SMS messages, reading the address book, intercepting
voicemails, operating the microphone and camera at will, determining the radio cell currently in
use, reporting the owner's location "and so on", as the catalog puts it.
For special cases, the ANT technicians also develop modified phones that look like normal
standard devices but forward various information to the NSA, for unnoticed swapping or for
handing on to informants and agents. In 2008, models from Eastcom and Samsung were on offer;
by now, more have probably been added.

DROPOUTJEEP is an implant for Apple's iPhone operating system iOS that is meant to enable remote
control via SMS or data services. According to the NSA document, it is meant to offer various
capabilities: downloading files from or uploading files to the phone, reading SMS messages,
reading the address book, listening to voicemail, capturing location data, switching on the
microphone and camera unnoticed, determining the radio cell. In early 2008 it was still in
development.

GOPHERSET: An implant for GSM SIM cards that uses hidden functions to read out the phone book,
short messages (SMS) and the log of outgoing and incoming calls.

MONKEYCALENDAR is attack software that makes it possible to get SIM cards to send
location information as hidden SMS messages.

TOTECHASER is an implant that is meant to hide in the flash ROM of the Thuraya 2520 satellite
phone and pass on data from the built-in Windows CE via hidden SMS functions.

TOTEGHOSTLY is an implant from the NSA's STRAITBIZARRE family that enables full remote
control of Windows Mobile phones. It is meant to offer various capabilities: downloading files
from or uploading files to the phone, reading SMS messages, reading the address book, listening
to voicemail, capturing location data, switching on the microphone and camera, determining the
radio cell.

PICASSO is a modified mobile phone that acts as a location and audio bug over GSM networks.
The data is transmitted out of the device via a USB interface or hidden SMS messages.

DROPOUTJEEP

ANT Product Data 



(TS//SI//REL) DROPOUTJEEP is a STRAITBIZARRE based software implant for 
the Apple iPhone operating system and uses the CHIMNEYPOOL framework. 

DROPOUTJEEP is compliant with the FREEFLOW project, therefore it is supported
in the TURBULENCE architecture.

10/01/08




(U//FOUO) DROPOUTJEEP - Operational Schematic 



(TS//SI//REL) DROPOUTJEEP is a software implant for the Apple iPhone that 
utilizes modular mission applications to provide specific SIGINT functionality. This 
functionality includes the ability to remotely push/pull files from the device, SMS 
retrieval, contact list retrieval, voicemail, geolocation, hot mic, camera capture, cell 
tower location, etc. Command, control, and data exfiltration can occur over SMS 
messaging or a GPRS data connection. All communications with the implant will be 
covert and encrypted. 

(TS//SI//REL) The initial release of DROPOUTJEEP will focus on installing the 
implant via close access methods. A remote installation capability will be pursued 
for a future release. 



Unit Cost: $0

Status: (U) In development 

POC: U//FOUO S32222

GOPHERSET

ANT Product Data 



(TS//SI//REL) GOPHERSET is a software implant for GSM (Global System for
Mobile communication) subscriber identity module (SIM) cards. This implant pulls
Phonebook, SMS, and call log information from a target handset and exfiltrates it to
a user-defined phone number via short message service (SMS).

(U//FOUO) GOPHERSET - Operational Schematic



(TS//SI//REL) Modern SIM cards (Phase 2+) have an application program interface 
known as the SIM Toolkit (STK). The STK has a suite of proactive commands that 
allow the SIM card to issue commands and make requests to the handset. 
GOPHERSET uses STK commands to retrieve the requested information and to 
exfiltrate data via SMS. After the GOPHERSET file is compiled, the program is 
loaded onto the SIM card using either a Universal Serial Bus (USB) smartcard 
reader or via over-the-air provisioning. In both cases, keys to the card may be 
required to install the application depending on the service provider's security 
configuration. 



Unit Cost: $0 

Status: (U//FOUO) Released. Has not been deployed. 

POC: U//FOUO S32222

MONKEYCALENDAR

ANT Product Data 



(TS//SI//REL) MONKEYCALENDAR is a software implant for GSM (Global System
for Mobile communication) subscriber identity module (SIM) cards. This implant
pulls geolocation information from a target handset and exfiltrates it to a
user-defined phone number via short message service (SMS).

10/01/08

(U//FOUO) MONKEYCALENDAR - Operational Schematic

(TS//SI//REL) Modern SIM cards (Phase 2+) have an application program interface
known as the SIM Toolkit (STK). The STK has a suite of proactive commands that
allow the SIM card to issue commands and make requests to the handset.
MONKEYCALENDAR uses STK commands to retrieve location information and to
exfiltrate data via SMS. After the MONKEYCALENDAR file is compiled, the
program is loaded onto the SIM card using either a Universal Serial Bus (USB)
smartcard reader or via over-the-air provisioning. In both cases, keys to the card
may be required to install the application depending on the service provider's
security configuration.



Unit Cost: $0 

Status: Released, not deployed. 

POC: U//FOUO

TOTECHASER

ANT Product Data 



(TS//SI//REL) TOTECHASER is a Windows CE implant targeting the Thuraya 2520
handset. The Thuraya 2520 is a dual mode phone that can operate either in SAT or
GSM modes. The phone also supports a GPRS data connection for Web browsing,
e-mail, and MMS messages. The initial software implant capabilities include
providing GPS and GSM geo-location information. Call log, contact list, and other
user information can also be retrieved from the phone. Additional capabilities are
being investigated.

10/01/08




(U//FOUO) TOTECHASER - Operational Schematic

(TS//SI//REL) TOTECHASER will use SMS messaging for the command, control, 
and data exfiltration path. The initial capability will use covert SMS messages to 
communicate with the handset. These covert messages can be transmitted in 
either Thuraya Satellite mode or GSM mode and will not alert the user of this 
activity. An alternate command and control channel using the GPRS data 
connection based on the TOTEGHOSTLY implant is intended for a future version. 

(TS//SI//REL) Prior to deployment, the TOTECHASER handsets must be modified. 
Details of how the phone is modified are being developed. A remotely deployable 
TOTECHASER implant is being investigated. The TOTECHASER system consists 
of the modified target handsets and a collection system. 

(TS//SI//REL) TOTECHASER will accept configuration parameters to determine 
how the implant operates. Configuration parameters will determine what information 
is recorded, when to collect that information, and when the information is exfiltrated. 
The configuration parameters can be set upon initial deployment and updated 
remotely. 

Unit Cost: $ 



Status: 

POC: U//FOUO

TOTEGHOSTLY 2.0

ANT Product Data



(TS//SI//REL) TOTEGHOSTLY 2.0 is a STRAITBIZARRE based implant for the 
Windows Mobile embedded operating system and uses the CHIMNEYPOOL 
framework. TOTEGHOSTLY 2.0 is compliant with the FREEFLOW project, 
therefore it is supported in the TURBULENCE architecture. 

(U//FOUO) TOTEGHOSTLY - Data Flow Schematic

(TS//SI//REL) TOTEGHOSTLY 2.0 is a software implant for the Windows Mobile 
operating system that utilizes modular mission applications to provide specific 
SIGINT functionality. This functionality includes the ability to remotely push/pull files 
from the device, SMS retrieval, contact list retrieval, voicemail, geolocation, hot mic, 
camera capture, cell tower location, etc. Command, control, and data exfiltration 
can occur over SMS messaging or a GPRS data connection. A FRIEZERAMP 
interface using HTTPSlink2 transport module handles encrypted communications.



(TS//SI//REL) The initial release of TOTEGHOSTLY 2.0 will focus on installing the 
implant via close access methods. A remote installation capability will be pursued 
for a future release. 



(TS//SI//REL) TOTEGHOSTLY 2.0 will be controlled using an interface tasked 
through the NCC (Network Control Center) utilizing the XML based tasking and data 
forward scheme under the TURBULENCE architecture following the TAO GENIE 
Initiative. 



Unit Cost: $0 

Status: (U) In development 



POC: U//FOUO

PICASSO

GSM HANDSET 



(S//SI//REL) Modified GSM (target) handset that collects user data, location 
information and room audio. Command and data exfil is done from a laptop and 
regular phone via SMS - (Short Messaging Service), without alerting the target. 

(S//SI) Target Data via SMS:

• Incoming call numbers
• Outgoing call numbers
• Recently registered networks
• Recent Location Area Codes (LAC)
• Cell power and Timing Advance information (GEO)
• Recently Assigned TMSI, IMSI
• Recent network authentication challenge responses
• Recent successful PINs entered into the phone during the power-on cycle
• SW version of PICASSO implant
• 'Hot-mic' to collect Room Audio
• Panic Button sequence (sends location information to an LP Operator)
• Send Targeting Information (i.e. current IMSI and phone number when it is turned on - in case the SIM has just been switched).
• Block call to deny target service.



(S//SI//REL) Handset Options

• Eastcom 760c+
• Samsung E600, X450
• Samsung C140
• (with Arabic keypad/language option)



(S//SI) PICASSO Operational Concept

(S//SI//REL) Uses include asset validation and tracking and target templating.
Phone can be hot mic'd and has a "Panic Button" key sequence for the witting user.



Status: 2 weeks ARO (10 or less) 
Unit Cost: approx $2000 